Chapter 1. Introduction

This chapter introduces Balabit’s Privileged Session Management, Shell Control Box (PSM, formerly called SCB) in a non-technical manner, discussing how and why it is useful, and what additional security it offers to an existing IT infrastructure.

What PSM is

Balabit’s Privileged Session Management, Shell Control Box (PSM, formerly called SCB) is a part of Balabit's Privileged Access Management solution. PSM is a device that controls, monitors, and audits remote administrative access to servers. It is a tool to oversee server administrators and server administration processes by controlling the encrypted connections used in server administration. It is an external, fully transparent device, completely independent from the clients and the servers. The server- and client applications do not have to be modified in order to use PSM — it integrates smoothly into the existing infrastructure.

PSM logs all administrative traffic (including configuration changes, executed commands, and so on) into audit trails. All data is stored in encrypted, timestamped and signed files, preventing any modification or manipulation. In case of any problems (server misconfiguration, database manipulation, unexpected shutdown), the circumstances of the event are readily available in the audit trails, so the cause of the incident can be easily identified. The recorded audit trails can be displayed like a movie – recreating all actions of the administrator. All audit trails can be indexed, enabling fast forwarding during replay, searching for events (for example mouse clicks, pressing the Enter key) and texts seen by the administrator. Reports and automatic searches can be configured as well. To protect the sensitive information included in the communication, the two directions of the traffic (client-server and server-client) can be separated and encrypted with different keys, so that sensitive information like passwords is displayed only when necessary.

PSM has full control over the SSH, RDP, Telnet, TN3270, TN5250, Citrix ICA, and VNC connections, giving a framework (with solid boundaries) for the work of the administrators. The most notable features of PSM are the following:

  • Disable unwanted channels and features (for example TCP port forwarding, file transfer, VPN, and so on)

  • Enforce the use of the selected authentication methods (password, publickey, and so on)

  • Require out-of-band authentication on the PSM gateway

  • Enforce four-eyes authorization with real-time monitoring and auditing capabilities

  • Audit the selected channels into encrypted, timestamped, and digitally signed audit trails

  • Retrieve group memberships of the user from an LDAP database

  • Verify the hostkeys and host certificates of the accessed servers

PSM is configured and managed from any modern web browser that supports HTTPS connections, JavaScript, and cookies.

What PSM is not

PSM is not a firewall. Although it uses advanced firewall technologies, it is an access controlling and auditing device focusing on server administration processes. Actually, it is a device that controls, monitors and audits remote administrative access to servers.

PSM monitors only the passing traffic of administrators accessing the servers remotely. Consequently, it cannot protect the server from local access, nor can it detect such events. If someone has access to a protected server from a local console, then anything that user does is beyond the capabilities of PSM.

PSM can be used to control administrative access to the servers. In case of large server farms, it provides a simple way to change or restrict access policies, for example, to disable password-based authentication in SSH, control RDP channels, or to deny the account of an administrator, without having to modify the configuration of each server one-by-one. However, PSM does not replace, and should not be used to replace, the proper configuration of the servers, as perfunctory server configuration inevitably introduces security risk beyond the scope of PSM.

Why is PSM needed?

Server administration must be audited in order to record all important events about a server. However, for security reasons, servers are almost exclusively administered using encrypted protocols, making system administration difficult to monitor and audit. To achieve reliable auditing, data collection has to be transparent and independent from the client and the server. Otherwise, a skilled administrator (or attacker) could manipulate the logs to mask the traces of his actions or other events. PSM solves exactly these problems by transparently monitoring the encrypted channels used in administration and introducing a separate auditor layer to oversee system administrators.

The RDP (including VMware Horizon View), Citrix ICA, and VNC-auditing capabilities of PSM are beneficial to record and archive the actions performed on thin-client applications and helpdesks.

Auditing SSH, Telnet, TN3270, and HTTP with PSM is useful to record and archive the administration of networking devices.

Who uses PSM?

PSM is useful for everyone who has a server and has to control and audit the activities of the administrators. In particular, PSM is invaluable for:

  • Policy compliance: Certain regulations — such as the Sarbanes-Oxley Act (SOX) or Basel II — require the financial director of an organization to certify that all financial data they provide to the authorities is accurate and has not been modified. Other industries have similar regulations (like the Health Insurance Portability and Accountability Act (HIPAA), or the Payment Card Industry Data Security Standard (PCI DSS)) about protecting personal or credit card information. Such data is usually stored in a database on a central server, and is accessible only via dedicated applications, such as the accounting software. These applications always create the logs and reports necessary for policy compliance. However, these applications are aware only of legitimate accesses to the database. The server storing the database has to be accessible also by server administrators for maintenance reasons. Having superuser privileges on the server, these administrators have the possibility to directly access and manipulate the database, and also to erase the traces of such actions from the server logs. However, PSM can audit the actions of the administrators, complementing the logs and reports of other applications.

  • Organizations having outsourced IT: Many organizations hire external companies to configure, maintain, and oversee their servers and IT services. This essentially means that the organization is willing to trust the administrators of this external company with all their data (for example private and business e-mails, customer information, and so on), or even with business-critical services like the operation of their online shop. Obviously, in such situations it is reassuring to have an independent device that can reliably log all administrative activities. PSM does exactly this — it provides detailed information about any problems with the server, making it easy to find those responsible. Using the four-eyes authorization method, PSM provides real-time control over remote server access and administrative actions.

  • Organizations offering remote management: Organizations on the other end of the outsourcing line — like server- and webhosting companies — can equally benefit from PSM. It gives them the possibility to oversee and audit the administrators, and is also a great tool to evaluate their effectiveness. The recorded audit trails can also be used as evidence to settle any issues about the remotely administered servers. PSM also improves the control over Service Level Agreements (SLA), as the fulfillment of the services can be verified using the recorded audit trails and access reports.

  • Organizations using thin-client infrastructures: PSM can audit the channels used in popular thin-client solutions, providing an application-independent way to record and monitor the activities of every client.

  • Organizations that need to control SSH: Many organizations have to permit outgoing SSH connections, but do not wish to do so without control, as virtually any other protocol can be tunneled into SSH. PSM can control what type of traffic is permitted in an SSH connection, and can separately enable the different traffic types like terminal connections, SFTP file transfers, port- and X11 forwarding, or agent-forwarding.

  • Organizations using jump hosts: Many organizations use jump hosts to access remote servers or services. PSM can be used to authenticate and audit every access to the jump hosts. Since PSM supports strong authentication methods (for example, X.509 certificate-based authentication) and authentication to user directories (for example Microsoft Active Directory and other LDAP databases), it can greatly simplify the key and password management of the hosts. This is especially useful if an organization has to access a large number of remote hosts, or has lots of jump hosts.